A vulnerability classified as problematic has been found in Progress Chef Infra Client (Automation Software). Affected is some unknown functionality of the file /var/log/messages of the component Knife Bootstrap Command Handler. The manipulation with an unknown input leads to a information disclosure vulnerability (Private Key). CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality. CVE summarizes:

The knife bootstrap command in chef leaks the validator.pem private RSA key to /var/log/messages.

The bug was discovered 12/14/2015. The weakness was published 09/21/2017 (oss-sec). The advisory is shared for download at openwall.com. This vulnerability is traded as CVE-2015-8559 since 12/14/2015. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1592.

The vulnerability was handled as a non-public zero-day exploit for at least 647 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 15.0.293 eliminates this vulnerability. The upgrade is hosted for download at docs.chef.io. A possible mitigation has been published 2 years after the disclosure of the vulnerability.

Productinfo

Type

• Automation Software

Vendor

• Progress

Name

• Chef Infra Client

License

• commercial

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion